TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Progress Has Been Made; However, Significant Work Remains to Achieve Full Implementation of Homeland Security Presidential Directive 12

September 12, 2014

Reference Number: 2014-20-069

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number / 202-622-6500
E-mail Address / TIGTACommunications@tigta.treas.gov
Website / http://www.treasury.gov/tigta

HIGHLIGHTS

Final Report issued on September 12, 2014

Highlights of Reference Number: 2014-20-069 to the Internal Revenue Service Chief Technology Officer.

IMPACT ON TAXPAYERS

Issued in August 2004, the Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors, requires Federal agencies to issue identity credentials that meet the HSPD-12 standard and use them for gaining physical access to Federally controlled facilities and logical access to Federally controlled information systems. Without full implementation of HSPD-12 compliant authentication, IRS facilities, networks, and information systems are at an increased risk of unauthorized access.

WHY TIGTA DID THE AUDIT

This audit was initiated to determine the IRS’s progress in implementing HSPD-12 requirements for accessing IRS facilities and information systems. The U.S. Department of the Treasury has set a goal for its bureaus to achieve 100-percent HSPD-12 compliance by Fiscal Year 2015. In Fiscal Year 2012, the Administration identified HSPD-12 as a Cross-Agency Priority initiative needed to improve the security of Federal data.

WHAT TIGTA FOUND

The majority of the IRS workforce has been issued HSPD-12 compliant Personal Identity Verification (PIV) cards. However, full implementation of PIV card electronic authentication for accessing IRS facilities is not scheduled until at least Fiscal Year 2018, and only if funding is available. In addition, significant challenges remain in the area of implementing PIV card electronic authentication for accessing IRS networks and information systems. These challenges include many legacy systems and technologies in use at the IRS that are incompatible with PIV cards, and limited HSPD-12 staffing and funding for resolving these conflicts.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief Technology Officer and Chief, Agency-Wide Shared Services, ensure that all IRS facilities are equipped with HSPD-12 compliant physical access control systems. Also, TIGTA recommended that the Chief Technology Officer ensure that specific requirements, staffing, and scheduling are identified and adequate funding requested to ensure full implementation of mandatory PIV card access to the IRS network and information systems; issue an IRS-wide memorandum to reiterate the requirement for full PIV card adoption; and ensure that HSPD-12 compliant requirements are integrated in the IRS’s lifecycle management process to ensure that new and existing systems implement this requirement.

The IRS agreed with all of our recommendations and has planned appropriate corrective actions to address them. The IRS plans to continue to implement HSPD-12 compliant access control systems at IRS facilities, identify and oversee funding needed to support full implementation of HSPD-12, issue an IRS-wide memorandum reiterating the requirements for full adoption of PIV card access to the IRS network and information systems, and ensure that HSPD-12 requirements are integrated into the IRS’s enterprise lifecycle development processes.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

September 12, 2014

MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER

FROM: Michael E. McKenney, Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Progress Has Been Made; However, Significant Work Remains to Achieve Full Implementation of Homeland Security Presidential Directive 12 (Audit # 201420003)

This report presents the results of our review of the Internal Revenue Service’s (IRS) progress in implementing Homeland Security Presidential Directive 12 requirements for accessing IRS facilities and information systems. This audit was initiated as part of the Treasury Inspector General for Tax Administration’s Fiscal Year 2014 Annual Audit Plan and addresses the major management challenge of Security for Taxpayer Data and Employees.

Management’s complete response to the draft report is included as Appendix V.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. If you have any questions, please contact me or Kent Sagara, Acting Assistant Inspector General for Audit (Security and Information Technology Services).

Table of Contents

Background
Results of Review
    Personal Identity Verification Cards Have Been Issued to 85 Percent of the Workforce
    Personal Identity Verification Card Electronic Authentication for Physical Access Has Been Implemented at 21 Percent of Facilities
        Recommendation 1
    Personal Identity Verification Card Electronic Authentication for Logical Access to the Network Has Been Implemented for Only 5 Percent of the Workforce
        Recommendation 2
        Recommendations 3 and 4
Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Internal Revenue Service Personal Identity Verification Card Issuance and Use Graphics
    Appendix V – Management’s Response to the Draft Report

Abbreviations

AWSS        Agency-Wide Shared Services
FY          Fiscal Year
HSPD-12     Homeland Security Presidential Directive 12
IIAM        Internal Identity and Access Management
IRS         Internal Revenue Service
OMB         Office of Management and Budget
PIN         Personal Identification Number
PIV         Personal Identity Verification
TIGTA       Treasury Inspector General for Tax Administration

Background

On August 27, 2004, President George W. Bush issued Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors, which requires agencies to follow specific technical standards and business processes for the issuance and routine use of Federal identity credentials.[1] The goal of the initiative is to ensure that only authorized personnel have access to Government systems and applications. This creates a more secure enterprise architecture by reducing the opportunity for identity fraud, thereby increasing the safety of both Government information and personal privacy.

Sidebar: Personal Identity Verification cards improve security, increase Government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, Governmentwide standard for secure and reliable forms of identification.

On August 5, 2005, the Office of Management and Budget (OMB) issued policy memorandum M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors, which outlined instructions for implementing HSPD-12. Federal agencies were to issue and require use of identity credentials meeting the HSPD-12 standard for current employees and contractors no later than October 27, 2007, for gaining physical access to Federally controlled facilities and logical access to Federally controlled information systems. It stated that inconsistent agency approaches to facility security and computer security were inefficient and costly, and increased risks to the Federal Government. Successful implementation of the HSPD-12 standard would increase the security of Federal facilities and information systems.

In November 2009, the Federal Chief Information Officers Council released the Federal Identity, Credential, and Access Management Roadmap and Implementation Guidance to aid Federal agencies in implementing HSPD-12. The Federal Identity, Credential, and Access Management Roadmap focused on addressing the challenges and design requirements for Governmentwide identity, credential, and access management, and defining and promoting consistency across the Federal Government.
The Federal Government adopted the Personal Identity Verification (PIV) card as the standard identity credential for Federal employees and contractors and as a key element in moving towards strong authentication.[2]

[1] An identity credential is an object that authoritatively binds an identity (and optionally, additional attributes) to a token possessed and controlled by an entity.
[2] Authentication is the process of verifying that a claimed identity is genuine and based on valid credentials.

On February 3, 2011, the OMB issued policy memorandum M-11-11, Continued Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors, which required each agency to develop and issue an implementation policy through which the agency will require the use of the PIV credentials as the common means of authentication for access to that agency’s facilities, networks, and information systems. This memorandum stated that the majority of the Federal workforce was in possession of the PIV credentials and, therefore, agencies should aggressively step up their efforts to use the electronic capabilities of the credentials.

In Fiscal Year (FY) 2012, the Obama Administration identified HSPD-12 as a strategy within the Cybersecurity Cross-Agency Priority Goal. The Cross-Agency Priority Goal strategy is intended to help monitor the implementation of Federal cybersecurity policies and legislation needed to improve the security of Federal data.
As part of the Cybersecurity Cross-Agency Priority Goal strategy, the Obama Administration is monitoring the implementation of PIV-card access to Federal information systems. As of the end of FY 2013, the Federal Government as a whole reported to have achieved 67 percent implementation of PIV-card access to Federal information systems. The target set for Federal agencies to achieve by the end of FY 2014 is 75 percent implementation.

The Department of the Treasury (hereafter referred to as the Treasury Department) issued Treasury Directive 71-12 on September 28, 2011, to set policy and define responsibilities for compliance with HSPD-12 within the Treasury Department. The directive required Treasury Department bureaus to plan and report the status of their PIV credential use for physical and logical access to the Treasury Enterprise Identity Credential and Access Management Program Executive Office.

The Internal Revenue Service (IRS) established the Internal Identity and Access Management (IIAM) Program Management Office for achieving the implementation of processes, technologies, and policies to manage user identities throughout their lifecycle, and to meet Federal Identity, Credential, and Access Management and Treasury Enterprise Identity Credential and Access Management goals. Appendix IV presents a graphic depiction of IRS PIV card issuance and use.

The Treasury Inspector General for Tax Administration (TIGTA) has issued the following audit reports on the IRS’s efforts to implement the directive. In general, TIGTA reported that progress was slow in implementing HSPD-12 requirements.

  • TIGTA, Ref. No. 2007-20-110, Progress Has Been Slow in Meeting Homeland Security Presidential Directive-12 Requirements (Jun. 2007).
  • TIGTA, Ref. No. 2008-20-030, Lack of Proper IRS Oversight of the Department of the Treasury HSPD-12 Initiative Resulted in Misuse of Federal Government Resources (Dec. 2007).
  • TIGTA, Ref. No. 2009-20-084, The Homeland Security Presidential Directive 12 Program Office Has Addressed Prior Weaknesses, but Progress Is Slower Than What Has Been Reported (Jun. 2009).
  • TIGTA, Ref. No. 2012-20-115, Using SmartID Cards to Access Computer Systems Is Taking Longer Than Expected (Sept. 2012).

This review was performed with information obtained from the Information Technology organization’s Office of Cybersecurity in Charlotte, North Carolina, and Washington, D.C.; and the Agency-Wide Shared Services’s (AWSS) Office of Physical Security and Emergency Preparedness in Washington, D.C., during the period January through June 2014. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I.
Major contributors to the report are listed in Appendix II.

Results of Review

The implementation of HSPD-12 is a substantial and complex project at the IRS. The project consists of multiple, interrelated components including implementing interrelated systems for:

  • Issuing PIV cards to authorized employees and contractors;
  • Using PIV cards to gain physical access to IRS facilities; and
  • Using PIV cards to gain logical access to the IRS network and information systems.

The Treasury Department has set a goal for its bureaus to achieve 100-percent HSPD-12 compliance by FY 2015. The IRS has spent more than $110 million[3] to implement HSPD-12 and has budgeted an additional $19 million for FY 2014. Even so, HSPD-12 project management officials cite the lack of sufficient funding and staffing as a main obstacle to completing full implementation of HSPD-12. The majority of the IRS workforce has been issued PIV cards. However, full implementation of physical access controls using PIV card electronic authentication at IRS offices is not scheduled until at least FY 2018, and only if funding is available. In addition, significant challenges remain in the area of implementing logical access controls to IRS networks and information systems using PIV cards. The IRS is not unique in its implementation challenges. Many Federal agencies have experienced challenges in implementing HSPD-12.
In March 2013, the OMB reported that not a single Federal agency had fully implemented HSPD-12.

In our September 2012 TIGTA report on HSPD-12,[4] we reported that the IRS had not made adequate progress in areas such as implementing HSPD-12 compliant authentication for system administrators and did not conduct required testing or complete key developmental documents and processes. During this review, we followed up on these issues and found that the IRS had taken action to conduct testing on its HSPD-12 authentication components and complete key project developmental documents. However, the administrator access issue remains one of the technological challenges still impeding the IRS’s full implementation of HSPD-12, which we will discuss more fully in the body of our report.

[3] The IRS could not provide us complete cost information that it expended on HSPD-12 implementation for FYs 2005 through 2008; therefore, total implementation cost is likely much higher.
[4] TIGTA, Ref. No. 2012-20-115, Using SmartID Cards to Access Computer Systems Is Taking Longer Than Expected (Sept. 2012).

Personal Identity Verification Cards Have Been Issued to 85 Percent of the Workforce

HSPD-12 requires that agencies issue PIV cards, “to the maximum extent practicable,” to authorized employees and contractors for use in accessing Government offices and information systems.
In accordance with OMB M-05-24, Treasury Department policy states that individuals who require physical access to Federally controlled facilities or electronic access to Government information systems for more than six months must be issued a PIV card. The Treasury Department set a goal for its bureaus to sustain their PIV card issuance rates above 90 percent for FYs 2011 through 2015.

The IRS has made steady progress in issuing PIV cards to its employees and contractors. As of February 27, 2014, the IRS’s PIV card database supported that 80,119 PIV cards had been issued, or were in the process of being issued, to IRS network users,[5] achieving an 85 percent issuance rate. The PIV database also listed 14,099 employees and contractors as requiring PIV cards but not yet issued, and 7,734 seasonal employees as not requiring PIV cards. Figure 1 illustrates these figures.

Figure 1: PIV Card Issuance Implementation Status
  IRS Workforce Issued Cards (80,119)
  Seasonal IRS Workforce - Card Not Required (7,734)
  IRS Workforce Not Issued Cards (14,099)
Source: AWSS database containing PIV card data for IRS employees and contractors.

Of the 80,119 IRS workforce who have been issued PIV cards, 79,339 are IRS employees and 780 are contractors. Of the 14,099 individuals not yet issued PIV cards, 9,503 are IRS employees and 4,596 are contractors.
Figures 2 and 3 illustrate these figures.

[5] Due to employee turnover, the number of network users fluctuates. For example, from February 14, 2014, to May 30, 2014, the number of network users declined from 94,951 to 94,251.

Figure 2: PIV Cards Issued to IRS Employees and Contractors
  IRS Employees (79,339)
  Contractors (780)
Source: AWSS database containing PIV card data for IRS employees and contractors.

Figure 3: PIV Cards Not Issued to IRS Employees and Contractors
  IRS Employees (9,503)
  Contractors (4,596)
Source: AWSS database containing PIV card data for IRS employees and contractors.

For issued cards, the IRS must perform maintenance activities, such as periodic card and certificate[6] renewals. PIV cards expire every five years and must be renewed. The digital certificate within the card must be rekeyed every three years to keep the certificate up to date and the card operational. As of March 2014, the IRS had renewed more than 58 percent of PIV cards that were expiring during Calendar Year 2014. Also, the IRS had completed certificate rekeys for more than 45 percent of active PIV cardholders for Calendar Year 2014.

[6] A certificate is a data object containing a subject identifier, a public key, and other information that is digitally signed by a certification authority. Certificates convey trust in the relationship of the subject identifier to the public key. A public key is the public part of an asymmetric key pair that is typically used to verify signatures or encrypt data.

However, the IRS has stayed at an 85-percent card issuance rate since FY 2013. Several factors have contributed to the IRS’s inability to achieve a higher percentage.

  • The IRS’s disparate identity environment creates data errors that must be manually corrected. Currently, the provisioning of an IRS identity and issuance of a fully functional PIV card is cumbersome, slow, and includes decentralized manual processes and steps. PIV issuance and population of data attributes for the PIV card involve multiple systems at the IRS, Treasury Department, and Federal levels. The IRS also has multiple internal identity-related systems and processes, owned by the IRS Information Technology organization and the AWSS.
    These include:
      o Corporate Authoritative Directory Services.
      o Totally Automated Personnel System.
      o Human Capital Office.
      o Career Connector Companion.
      o Human Resources Reporting Center.
      o Online 5081.
      o Active Directory.
      o Active Roles Server and other key systems.
    IRS HSPD-12 project staff indicated that the IRS is currently working missing or mismatched data issues for 5,000 employees and contractors that must be resolved before their PIV cards can be issued. Correcting data errors or mismatches requires a lot of manual research and input from multiple separate data sources at the IRS, Treasury Department, and Federal levels. The Treasury Department periodically runs an exception tool to identify employee and contractor records that are affected by missing data elements that prevent the issuance of the PIV card. AWSS staff must work with the sponsors[7] of these individuals, or must assign a sponsor, to manually correct records and ensure that all the data elements are in place. However, the sponsor’s actions may be limited within the various systems, and the AWSS staff often must work with the Treasury Department to make corrections for missing or mismatched data elements.

[7] A sponsor acts on behalf of the agency to facilitate the credentialing process by inputting data elements into authoritative information systems. Depending on the applicant’s employment status, a sponsor may be a Federal supervisor, contracting officer, contracting officer’s representative, or other Federal official.

  • The IRS must manually verify contractor data prior to issuance of PIV cards. Of the 14,099 individuals listed as requiring PIV cards who do not have them yet, 4,596 are contractors. The PIV database provided by the IRS showed that only 780 contractors at the IRS have been issued PIV cards. The IRS must retrieve contractor data needed for PIV card issuance from its PIV Background Investigation Process system. The data from this system must be manually verified to ensure that they are correct, that the contractor is still active, and that the contractor is required to be issued a PIV card. Some contractors listed as needing PIV cards may not in fact need them for various reasons, such as they do not require system access, they work at their own facilities, they are custodial, or they may be employed for less than six months.
  • IRS offices at remote locations affect the timely issuance of PIV cards due to their distance from credentialing stations. The IRS has about 65 buildings that are located more than 50 miles from credentialing stations. About 338 employees and contractors located in these offices have not been issued PIV cards. These individuals have been issued legacy identification badges that do not require activation and can be shipped to the employee directly.
    To be issued a PIV card, these employees must travel to a credentialing station that can issue PIV cards. Therefore, correction of this issue may be affected by budget constraints.
  • The IRS’s high workforce turnover rate inhibits achieving the PIV card issuance goal. According to AWSS staff, IRS employee records show that its turnover rate has been 12 percent and 13 percent since FY 2009. Therefore, some individuals listed as requiring PIV cards may not be onboard for more than six months due to unexpected/early departures. Also, although seasonal employees that are onboard less than six months do not require a PIV card, sometimes they are inaccurately coded in the system as requiring PIV cards, which causes this number to be inflated.

To resolve the issues related to data consistency and manual processes that have delayed PIV card issuance, the Treasury Department is implementing an enterprise solution, known as PIV Data Synchronization, which will synchronize PIV data across the Treasury Department enterprise, bureaus, and external Federal systems. The PIV Data Synchronization will integrate card issuance with the hiring process and allow issuance of PIV cards to new employees on their first day of work, resulting in the security benefits of immediate PIV access to facilities and information systems for each employee.

In addition, the PIV Data Synchronization will provide a central store for contractors and account for all PIV cards issued to contractors within the Treasury Department.
It will reduce
redundancy in systems that support contractor access, establish a single repository to account for
contractor policy compliance, and serve as a single source for revocation of a contractor’s
credentials/privileges.

The IRS is in the process of building infrastructure to interface directly with the Treasury
Department’s PIV Data Synchronization components.[8] The IRS expects that once these systems
can interface with each other in real-time, data mismatch problems should largely be resolved,
manual processes can be removed, and the secure creation and management of PIV identities
will be expedited. The IRS completed the interfaces needed to create IRS employee identities
and is working to add the interfaces needed to create contractor identities.

Based on the IRS’s ongoing work to improve its identity management and card issuance
processes, we are not making any recommendations related to PIV card issuance. The IRS
expects its infrastructure improvements will help it meet the HSPD-12 mandate.

Personal Identity Verification Card Electronic Authentication for Physical Access Has Been Implemented at 21 Percent of Facilities

HSPD-12 requires the use of PIV card electronic authentication for physical access to Federal
facilities. OMB’s October 2005 guidance instructed agencies to use appropriate card
authentication mechanisms at their facilities and specified “minimal reliance” on visual
authentication as a sole means of authenticating PIV credentials.
OMB’s February 2011
guidance noted that the majority of the Federal workforce was by then in possession of PIV cards
and required agencies to increase usage of the electronic capabilities of PIV credentials as the
common means of authentication for access to agency facilities. The Treasury Department set a
goal for its bureaus to achieve 100-percent HSPD-12 compliance for physical access by
FY 2015.

The IRS has identified 625 locations within the United States and Puerto Rico which require
HSPD-12 physical access controls.[9] The IRS has implemented PIV card electronic
authentication at 130 (21 percent) of these locations and has determined that it will not upgrade
134 locations for HSPD-12 compliance. The IRS believes the costs of upgrading these locations
are not justified because these offices either have a lower security level, or may be consolidated
or closed at some future date. Of the remaining 361 facilities, the IRS estimates that it will not
complete PIV-based electronic authentication until at least FY 2018, and only if funding is
available.
Figure 4 illustrates these figures.

[8] The Treasury Department’s PIV Data Synchronization components include HR Connect, Data Management
Service, Treasury Enterprise Directory Service, and USAccess.
[9] The IRS has employees located at more than 100 additional international offices; however, the State Department is
responsible for implementing HSPD-12 physical access controls at these locations.

Figure 4: Physical Access Controls Implementation Status

   Implementation Completed (130)
   Will Not Implement (134)
   Will Complete Implementation by FY 2018 or Beyond (361)

Source: IRS information on implementing PIV card electronic access at IRS facilities.

The IRS estimates it requires approximately $123 million and an additional six full-time
employees to complete implementation at just the 361 offices it intends to make HSPD-12
compliant.
Significant additional funding would be required to make compliant the 134 facilities
that the IRS has decided not to make HSPD-12 compliant.

HSPD-12 does not contain provisions for nonimplementation of PIV-based physical access
control systems at Federal Government facilities. However, HSPD-12 does suggest that agencies
implement PIV-based control systems at higher risk facilities first. Further, the Federal
Information Security Management Act of 2002[10] requires all Federal agencies to plan and budget
for information technology security. However, the IRS has not budgeted for the full
implementation of PIV-compliant physical access to IRS facilities.

Until PIV card authentication for physical access is fully implemented at all IRS offices, the IRS
faces an increased risk of unauthorized access at these offices.

Recommendation

Recommendation 1: The Chief Technology Officer and Chief, Agency-Wide Shared
Services, should ensure that all IRS facilities are equipped with HSPD-12 compliant physical
access control systems and that the prioritized plans to accomplish this are documented and
regularly reviewed for progress. The Chief Technology Officer should consider making
HSPD-12 a priority in terms of funding to better allow for its full implementation.

[10] Pub. L. No. 107-347, Title III, 116 Stat. 2899, 2946-2961 (2002) (codified as amended in 44 U.S.C.
§§ 3541-3549).

       Management’s Response: The IRS agreed with this recommendation.
       The AWSS
       will continue to install HSPD-12 compliant access control systems at all IRS facilities
       once the Information Technology organization receives sufficient funding. The AWSS,
       in conjunction with the Cybersecurity organization, has developed long-range prioritized
       plans for the installation of compliant, enterprise-wide physical access control systems in
       the remaining IRS locations that need them. Additionally, joint executive-level and
       bi-weekly meetings are conducted to review and discuss status updates, resolution of
       issues, information technology funding availability, and other pertinent matters. The
       AWSS maintains and frequently reviews the prioritized lists of locations that are still
       pending physical access control system deployments, and project status is discussed with
       the Deputy Commissioner of Operations Support during AWSS Business Performance
       Reviews.

Personal Identity Verification Card Electronic Authentication for Logical Access to the Network Has Been Implemented for Only 5 Percent of the Workforce

HSPD-12 requires agencies to use PIV cards to access Federal networks and information
systems. OMB’s 2011 guidance required agencies to step up their efforts to use the electronic
capabilities of PIV credentials as the common means of authentication for access to agency
information systems. The Treasury Department set a goal for its bureaus to achieve 100-percent
HSPD-12 compliance for logical access to networks by FY 2013.

Mandatory PIV card authentication to the network has been implemented for only 5 percent of the workforce

The IRS has implemented mandatory use of PIV cards to access its network for only a small
percentage of its network users.
As of May 30, 2014, only 5 percent of employees are required
to use PIV cards to access the IRS network.

Several challenges have delayed the IRS’s progress in meeting the goals set by the Treasury
Department for mandatory use of PIV cards to access IRS networks.
   •   The IRS needed to negotiate a National Treasury Employees Union agreement related to
       mandatory use of PIV cards prior to its implementation. This agreement was not
       finalized until July 2013.
   •   The HSPD-12 project has had limited dedicated resources. Most of the technical staff is
       temporarily assigned to this project. When the Federal Government shutdown was
       imminent in September 2013, much of this temporary staff was reassigned to other
       Information Technology organization functions to administer the shutdown of IRS
       information technology resources. Similarly, after the shutdown ended, these resources
       were required to deal with information technology systems restart and the numerous
       helpdesk tickets generated from the shutdown and restart of the information technology
       systems.
   •   A solution for administrator access to the IRS network and information systems using a
       single PIV card and Personal Identification Number (PIN) has yet to be identified, tested,
       and implemented. Based on HSPD-12 requirements, the General Services
       Administration established a limit of one identity on each PIV card and one card per
       person.
       However, to support the security principle of least privilege, Treasury
       Department policy requires system administrators to have both an end-user account and
       one or more elevated privileged accounts to allow the system administrator to use an
       unprivileged account when not performing privileged actions. The requirement that
       administrators access the Federal networks and applications with a single PIV card and
       PIN creates a technological challenge across the Federal Government for an individual
       who needs both administrative and non-administrative type access to networks and
       information systems. Various solutions have been proposed to the IRS by the Treasury
       Department’s Treasury Enterprise Identity Credential and Access Management group;
       however, the IRS’s testing of these solutions has been designated as low priority due to
       insufficient funding and resources, as well as its current focus to increase mandatory use
       of PIV cards for network access, which it sees as a top priority in the progression towards
       full HSPD-12 implementation. As of May 30, 2014, the IRS reported having
       3,070 people with privileged network accounts.
   •   The IRS currently has several systems and software which are not HSPD-12 compliant.
       The HSPD-12 project team provided a list of 25 technologies currently in use at the IRS
       that users have reported as incompatible with the use of PIV cards, and 18 additional
       technologies that potentially will cause conflicts.
       Some examples of these incompatible
       technologies include: Jabber®, a product by Cisco® that provides instant messaging;
       pcAnywhere™, a remote control solution by Symantec™ that allows helpdesk staff to
       access remote computers to resolve issues quickly; Control-M, a product by BMC
       Software that provides workload automation; and Business Object Enterprise, a product
       by SAP® that provides reporting and information delivery. The HSPD-12 project team
       cannot enable mandatory use of PIV cards for the users of the incompatible technologies
       until solutions to resolve the conflicts are found.

Beginning in April 2014, the HSPD-12 project team embarked on an ambitious implementation
schedule where they hope to implement mandatory use of PIV cards for access to the IRS network
for more than 30,000 additional IRS network users. This effort will bring the total number of
network users required to log on with their PIV cards to approximately 35,700 (38 percent of
network users) by the end of FY 2014. As technological solutions are developed for
incompatible technologies, mandatory PIV card logon will be enabled for additional network
users.

While the IRS has made some progress in updating information systems to accept PIV cards, more work needs to be done

In addition to network access, HSPD-12 requires PIV card authentication to Federal systems and
applications.
Treasury Department policy requires that all existing systems must be upgraded to
use PIV credentials prior to the agency using development and technology refresh funds to
complete other activities. Treasury Department policy also requires that new systems under
development must be enabled to use PIV credentials prior to being made operational.

The IRS has not implemented PIV card access to most of its existing information systems and
applications yet and has conducted limited work in this area. No IRS information systems are
exclusively accessed using PIV cards yet. The IRS has many legacy systems that do not work
with the PIV card, and a fix must be developed before users can be required to log on with a PIV
card. Although the IRS has made recent progress in this area, challenges still exist. For
example, the Remittance Transaction Research system was recently updated to support the use of
the PIV card. The application itself has about 22,000 users, not all of whom have been issued
PIV cards. Therefore, the IRS must continue to allow employees without PIV cards access to
this application. While this is progress, more must be done to ensure that all employees are
issued cards so that the IRS can enforce the use of PIV cards across all of its infrastructure and
application services. Implementing solutions to allow these applications to use the card must be
made a priority.

Due to limited staffing and funding, implementing mandatory logon to the IRS network using
PIV cards has been a higher priority than implementing PIV card access to all IRS information
systems. The IRS’s information technology infrastructure has historically been highly
decentralized, and systems tend to be implemented at the project or program level.
Authentication is implemented, in most cases, on an application-by-application basis.
To
successfully implement “HSPD 12 compliant” applications utilizing a central authentication
source, identity store consolidation and identity data normalization must take place. The
HSPD-12 project team has to develop a supporting strategy that clearly articulates how to build
the infrastructure needed by application owners to make their applications compliant with
National Institute of Standards and Technology guidelines for utilizing PIV credentials. This
strategy must also make certain that new infrastructure components are compliant with these
guidelines before becoming operational.

The HSPD-12 project team has developed an IIAM Project Management Plan that provides a
strategy for building the centralized identity management infrastructure needed to achieve
HSPD-12 compliance and meet the Treasury Department’s goals and time frames. This plan
also identifies challenges that remain in achieving full PIV enablement, including the limited
funding and staffing based on the project’s prioritization; the long-term approach needed given
the size and complexity of the IRS, its business processes, and the critical nature of many of its
facilities, systems, and applications; and the current multiple technical environments that
frustrate a single-enterprise solution. The plan calls for governance oversight and regular
stakeholder communications to discuss and resolve matters that have impact and require
coordination IRS-wide. The current plan also calls for the reuse of existing infrastructure
components where possible, adding only new components where absolutely necessary.
This plan
has the potential to accelerate the adoption of the use of PIV cards if given the proper
organizational support.

The IRS acknowledges its stewardship responsibilities for ensuring that both agency mission and
security objectives are achieved. However, due to constant budget constraints, a key strategy for
the IRS Information Technology organization has been to use a risk-based approach towards
balancing business results with security requirements in order to continue to provide the core
information technology deliverables for achieving mission objectives. However, without full
implementation of HSPD-12 compliant authentication services, the IRS network and information
systems are at an increased risk of unauthorized access. If funding, staffing, and technical issues
are not resolved, full implementation of HSPD-12 compliant authentication will continue to be
delayed. In addition, without adequate education and oversight to prevent development or
purchase of noncompliant systems or software, full implementation of HSPD-12 will never be
achieved.

Recommendations

The Chief Technology Officer should:

Recommendation 2: Continue to provide oversight and drive implementation of HSPD-12
requirements while balancing resource demands to meet IRS mission objectives.
To ensure full
implementation of mandatory PIV card access to the IRS network and information systems,
specific requirements, staffing, and scheduling should be identified and adequate funding
requested to cover those needs, including:
   •   Specific equipment and support needs should be clearly identified, including hardware
       and software requirements, testing needs, and any contractor expertise needed.
   •   Specific staffing needs should be clearly identified to ensure that not only the requisite
       number of staff is assigned to HSPD-12, but that staff with the correct skills are assigned
       to the appropriate activities.
   •   Detailed milestones should be developed and progress on those milestones should be
       regularly reported to the Chief Technology Officer as part of a detailed plan to implement
       mandatory logon to IRS networks and information systems with PIV cards and resolve
       the administrator access issue.

       Management’s Response: The IRS agreed with this recommendation. The
       Chief Technology Officer will continue to oversee and identify funding needed to support
       implementation of the HSPD-12 requirements.
       To the extent funding is provided, the
       Chief Technology Officer will continue with implementation of mandatory PIV card
       access to the IRS network and information systems as well as:
   •   Equipment and support;
   •   Staffing; and
   •   Development of milestones for full implementation, contingent on funding.

Recommendation 3: Issue an IRS-wide memorandum reiterating the OMB M-11-11
requirement for full adoption of PIV credentials for logical access to the IRS network and
information systems.

       Management’s Response: The IRS agreed with this recommendation. The
       Chief Technology Officer will issue an IRS-wide memorandum reiterating the IRS’s
       enterprise-wide program to meet the OMB M-11-11 requirement mandating agencies to
       continue implementation of HSPD-12 policy. The policy is to protect the Nation’s
       infrastructure with the full adoption of PIV credentials for logical access to agency
       network and information systems.

Recommendation 4: Ensure that HSPD-12 compliant requirements are integrated in the
IRS’s lifecycle management process to ensure that new and existing systems implement this
requirement.

       Management’s Response: The IRS agreed with this recommendation.
       The
       Chief Technology Officer will: 1) notify the Enterprise Services organization to add the
       use of the PIV as a requirement to all enterprise lifecycle artifacts and solutions
       development processes, and 2) ensure that the use of the PIV card is fully detailed in the
       Enterprise Architecture.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine the IRS’s progress in implementing
HSPD-12 requirements for accessing IRS facilities and information systems. To accomplish this
objective, we:
I.      Determined the current status of the IRS’s HSPD-12 implementation, and identified
        issues impeding its full and timely implementation.
        A. Documented and reviewed pertinent HSPD-12 requirements, including the HSPD-12
           Directive, OMB memos, National Institute of Standards and Technology publications,
           Federal Cross-Agency Priority Goals, and summarized requirements and time frames
           for compliance.
        B. Obtained and reviewed documentation of the most recent IRS goals and
           implementation status.
        C. Consulted with key IRS personnel regarding the challenges faced relating to
           implementation and the root causes of those challenges.
II.     Followed up on IRS corrective actions pertaining to the September 2012 TIGTA report
        recommendations.[1]
        A. Determined whether the IRS Labor Relations office completed negotiations with the
           National Treasury Employees Union on mandatory use of PIV cards.
        B. Determined whether the IRS appointed a project manager to lead the IIAM project
           and provided sufficient full-time staffing and resources to the IIAM project.
        C. Determined whether the IIAM project manager selected the most feasible method to
           implement two-factor authentication for administrators and coordinated the activities
           needed to implement the interim and long-term solutions.
        D. Determined whether the IIAM project manager prioritized and coordinated the work
           to establish the infrastructure needed to PIV-enable information systems.
        E. Determined whether the IIAM project manager coordinated and led the activities to
           plan, develop, test, and deploy two-factor authentication using PIV cards for logical
           access to the Enterprise Remote Access Project.
        F. Determined whether the Cybersecurity organization ensured that an event-driven
           security control assessment for the General Support System 32 was completed by
           December 30, 2012, to ensure that security risks and vulnerabilities were identified
           and mitigated.
        G. Determined whether the project manager coordinated with the Applications
           Development organization Enterprise Systems Testing function staff to ensure that all
           required testing was completed and the results presented to the Security Services and
           Privacy Executive Steering Committee by December 30, 2012.
        H. Determined whether the Enterprise Life Cycle office validated that required
           Enterprise Life Cycle reviews, including Milestone Readiness Reviews, are properly
           conducted and all required artifacts[2] are finalized and approved by the required
           officials listed within the artifacts.
        I. Determined whether the project manager conducted the: 1) Functional Configuration
           Audit, 2) Physical Configuration Audit, and 3) Life Cycle Stage Review for the
           Integration Test and Evaluation.

[1] TIGTA, Ref. No. 2012-20-115, Using SmartID Cards to Access Computer Systems Is Taking Longer Than
Expected (Sept. 2012).

Internal controls methodology

Internal controls relate to management’s plans, methods, and procedures used to meet their
mission, goals, and objectives. Internal controls include the processes and procedures for
planning, organizing, directing, and controlling program operations. They include the systems
for measuring, reporting, and monitoring program performance. We determined that the
following internal controls were relevant to our audit objective: Federal directives and guidance
on HSPD-12, including the HSPD-12 Directive, OMB memos, National Institute of Standards
and Technology publications, General Services Administration guidance, Department of the
Treasury and IRS policies, and Federal Cross-Agency Priority Goals. We evaluated these
controls by reviewing the Federal directives, guidance, and goals related to HSPD-12. We
interviewed the IRS IIAM project manager and staff with duties related to HSPD-12.
We also
obtained and reviewed documentation of the most recent IRS HSPD-12 goals and
implementation status.

[2] An artifact is the tangible result of an activity or task performed during the lifecycle of a project.

Appendix II

Major Contributors to This Report

Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology
Services)
Kent Sagara, Director
Jody Kitazono, Audit Manager
Bret Hunter, Lead Auditor
Larry Reimer, Senior Auditor
Chanda Stratton, Senior Auditor

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Commissioner for Services and Enforcement SE
Associate Chief Information Officer, Cybersecurity OS:CTO:C
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaison: Cybersecurity OS:CTO:C
Appendix IV

Internal Revenue Service Personal Identity Verification Card Issuance and Use Graphics

This appendix presents the IRS PIV card program, which involves multiple steps, data sources,
and personnel. Figure 1 depicts the basic IRS PIV card (also called SmartID) issuance process.

Figure 1: IRS PIV Card Issuance Process

Source: IRS HSPD-12 Project Management Office policies and processes.

The PIV card itself is coded with digital information which identifies an employee using various
attributes. The digital information is read by card readers at entrances to, or within, IRS facilities
to gain physical access to those facilities, or by computers to gain logical access to computers,
networks, or applications. The card also includes visible identifiers for human verification such
as a photo, name, title, and agency. Figure 2 provides an example of a typical PIV card.

Figure 2: Typical PIV Card

Source: IRS Mandatory SmartID User Guide.

Once access is gained to an IRS facility, the PIV card is inserted into an IRS computer.
Figure 3
provides an example of how a PIV card is inserted into a card reader within a computer.

Figure 3: Example of How to Insert a PIV Card

Source: IRS Mandatory SmartID User Guide.

Once the PIV card is inserted into the computer, software reads the information on the PIV card
and asks the user to enter his or her PIN. Figure 4 illustrates the screen asking for the user’s PIN.

Figure 4: Screen Asking for User’s PIN

Source: IRS Mandatory SmartID User Guide.

After the employee enters his or her PIN, the employee has access to the IRS computer and
network.

Appendix V

Management’s Response to the Draft Report